WnSoft Forums

P2E-related virus?


Ken Thomson


Hoping for some improvement after the latest update from AVG today at 1959 hrs I was sadly disappointed. As a test I downloaded from Creating Slideshows forum, 'Cold' and 'A New Day'.

Without unzipping, a manual scan on each file told me 'Cold' is clean, 'A New Day', virus found. Both have been left unzipped for the time being.

I wish to reinstall Friday's deleted files from a back up on CD, hoping AVG will have sorted this tomorrow. Not holding my breath though!

Hi

I too am running AVG on my main computer. Friday it detected 38 of my exe files as having the PSW.Banker trojan and 'healed' quite a few of them, including 'The Barn' and 'A New Day' before I could stop it! Both were made some time ago but I'm not sure on what version of PTE. I was going to retrieve them from the Virus Vault but it seems from previous correspondence in the Forum they might be useless. Fortunately I also have them on the laptop (running Norton).

Have been away for the weekend and was hoping that AVG would have fixed the problem by now. It's great to have this Forum to look at, I'd be really panicking if it wasn't for it!!

Thanks

Marion


Hi

I too am running AVG on my main computer. Friday it detected 38 of my exe files as having the PSW.Banker trojan and 'healed' quite a few of them, including 'The Barn' and 'A New Day' before I could stop it! Both were made some time ago but I'm not sure on what version of PTE. I was going to retrieve them from the Virus Vault but it seems from previous correspondence in the Forum they might be useless. Fortunately I also have them on the laptop (running Norton).

Have been away for the weekend and was hoping that AVG would have fixed the problem by now. It's great to have this Forum to look at, I'd be really panicking if it wasn't for it!!

Thanks

Marion

I'd been concerned about this all day Marion, thinking I might have passed it to you with my AV!

Chris


I've been using A2 squared for some time, basically as an anti spyware program along with three others. With its almost daily updates A2 is becoming more and more reliable in detecting malware, particularly Trojans, 50,000 it claims to safeguard against.

After AVG reported "A New Day" to be infected, A2 came into play and its scan reported "no malware detected". That was good enough for me, no real need for concern. Should AVG not rectify this situation within a few days then I'll be looking for another AV.

Link for A2 should anyone be interested: http://www.emsisoft.com/en/software/free/


I had a call from a customer of my tutorial CDs who bought them some time ago and suddenly his system is picking up a virus when it didn't before.

I explained the problem and referred him to this forum.

Thanks for all the info, my reply to him sounded well informed and up to date thanks to you guys and Igor.

These things happen

Barry


Some of this is repetitive but is from my daily log and i want to communicate ASAP before any more things happen – it has been a long weekend

AVG FALSE DETECTION

The AVG update only affected shows made with Ver. 4.30

I think we need to know what each member's anti virus program does when it detects a virus – false or real. The Grisoft AVG users have pretty well documented what it does, but we do not know what the other programs do for our own education – we now know that AVG puts it in the vault, but if it heals it and returns it to the folder it came from it renders the EXE useless

In my case the AVG GUI is not in the startup group but AVG itself is and scans incoming mail. In this state it will not allow me to even send an eicar.com test file. For testing purposes i have eicar files placed on my drives to make sure the anti virus program is detecting

See

http://www.rexswain.com/eicar.html

when i run the free McAfee Stinger program

http://vil.nai.com/vil/stinger/

and it comes to the eicar test files it triggers the AVG program and a virus detected screen comes up and stays up for X# of seconds – it is set to continue scanning after the screen times out.

I do not let AVG run scheduled scans, i run forced scans of specific files/folders, the other day when this problem came up i did a forced scan of the folder that holds most of my folders of p2e shows – at present it is 7.89 GB, contains 18,497 files in 634 folders. Too bad i did not take the test results of the stinger program which did not detect any Trojans.

When i run a shell extension test of a specific folder i get a screen that gives many options if it detects something

Heal, delete, etc. as well as close

I will insert a picture showing this screen

Sunday, October 09, 2005 FROM AVG 6:24 AM

Added detection of new variant of I-Worm/Mytob, BackDoor.Hupigon, new variants of trojans PSW.Legendmir, PSW.Banker, Pakes, Clicker.

But AVG still detects the test file provided by Igor as having the PSW.Banker HMQ trojan

So if anybody else can add information re how your anti virus conducts itself please add it to this thread

Ken

Monday, October 10, 2005

this morning's AVG update seems to have repaired the problem - the test file from Igor tests clean and can be removed from the zip and functions. I am in the process of documenting the files that were in the vault

-- I have tested 3 of mine + Igor's test file and they are fine

the forum seems to be down at present 06:25 so cannot enter this info to forum

So what did we learn from this - we had the same thing happen with Norton and Kaspersky 3 yrs ago with a false virus. Our membership has grown and we don’t hear from a lot of old members -- maybe they are ones that Norton nailed - so we still don’t know how it handled the situation as far as healing files - Igor was able to get them to solve within 2 days -- took AVG +- 4 days to get it right and from all reports they were not too cooperative.

In my case i should have done nothing as i had just run the latest McAfee stinger

http://vil.nai.com/vil/stinger/

and come up clean.

I am just glad i am not set up to run scheduled scans and i do not rely on auto update because i want to know when something updates my system

but what will we do next time:)

and then the new Invision board was unstable during all this and still is so communicating to the forum as to the status of the problem was very difficult to do

Grisoft AVG Ver.: 7.0.344/Virus Database:267. 11.14/127 Release Oct 10 /2005

http://www.grisoft.com/html/us_updt.php

Monday, October 10, 2005

AVI: 267.11.14

min. AVI: 267.0.0 Added detection of new variant of I-Worm/Mytob, BackDoor.Hupigon, new variants of Trojan’s PSW.Legendmir,PSW.Banker,PSW.Lineage. October 10, 2005 490.4 kB

AVI: 267.11.14

min. AVI: 267.11.0 Added detection of new variant of I-Worm/Mytob, BackDoor.Hupigon, new variants of Trojan’s PSW.Legendmir,PSW.Banker,PSW.Lineage. October 10, 2005 71.4 kB

AVI: 267.11.14 Added detection of new variant of I-Worm/Mytob, BackDoor.Hupigon, new variants of Trojan’s PSW.Legendmir,PSW.Banker,PSW.Lineage. October 10, 2005 5.2 MB

IAVI: /127 Added detection of new variant of I-Worm/Mytob, BackDoor.Hupigon, new variants of Trojan’s PSW.Legendmir,PSW.Banker,PSW.Lineage. October 10, 2005 716.7 kB

We need feedback from other users how their anti virus handles things.

i use the free version of AVG and am used to its functions but i learned a heck of a lot more these past few days -- i hear of horror stories of Norton and McAfee on my XP newsgroups and never really heard AVG get slammed - rather lots of recommends for it.

i have been a paid user of Computer Associates International,

http://www.my-etrust.com/WhyCA.aspx?lang=en-us

for many years but they only came up with a vault this past year and their customer service i don't care for [will say no more] so it is updated daily but is not running scans - it can do a forced scan -- and did not test the files with it -- lot of Monday morning quarterbacking going on - but at least i am admitting my own mistakes:))

so i am in a quandary at present

I would suggest that Igor make available small test files similar to the one he has made available with each version of p2e and when we update our anti virus dat files run it on the test file and possibly we will not go thru this exercise again

Now Grisoft's AVG may not be a big name in Antivirus but Norton and Kaspersky are and it did the same as AVG has just done.

This is going to take a lot of work for all but i think it is a “must do”.

ken

http://www.my-etrust.com/WhyCA.aspx?lang=en-us

http://www.grisoft.com/html/us_updt.php

http://vil.nai.com/vil/stinger/

http://www.rexswain.com/eicar.html
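
An added example, not part of Ken's post or of any tool named in this thread: one way to tell after a scan or definition update which slideshow EXEs were altered in place ("healed") or removed (vaulted) is to compare them against a hash manifest taken beforehand. The file names and bytes below are constructed stand-ins, and the function names are hypothetical.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root, pattern="*.exe"):
    """Map each matching file (path relative to root) to its SHA-256 and size."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob(pattern)):
        if path.is_file():
            data = path.read_bytes()
            result[path.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data),
            }
    return result


def compare(baseline, current):
    """Classify baseline files: unchanged, modified (e.g. healed) or missing (e.g. vaulted)."""
    report = {"unchanged": [], "modified": [], "missing": []}
    for name, meta in baseline.items():
        if name not in current:
            report["missing"].append(name)
        elif current[name]["sha256"] != meta["sha256"]:
            report["modified"].append(name)
        else:
            report["unchanged"].append(name)
    return report


def demo():
    """Constructed sample: three stand-in shows, one altered and one removed after the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        shows = Path(tmp)
        (shows / "2004").mkdir()
        for name in ("cold.exe", "2004/barn.exe", "2004/new_day.exe"):
            (shows / name).write_bytes(b"MZ" + name.encode() * 64)  # placeholder bytes, not a real EXE
        manifest = json.dumps(snapshot(shows), indent=2)  # keep this text outside the scanned folders
        (shows / "2004/barn.exe").write_bytes(b"MZ" + b"\x00" * 32)  # simulate an in-place "heal"
        (shows / "2004/new_day.exe").unlink()                        # simulate a move to the vault
        return compare(json.loads(manifest), snapshot(shows))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Files listed as modified are the ones to restore from backup rather than from the vault; files listed as missing should reappear as unchanged once restored after a corrected definition update.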


Hi Ken

Just read your last posting and was glad to learn that AVG had sorted it. On my computer AVG normally updates itself but it obviously hadn't gotten round to it today as I again checked my CD with 'The Barn' on it and it still showed the virus. After manually updating AVG I have a big smile on my face - all clear!

Thanks again to all

Marion


Thanks Ken, seeing your post AVG had rectified matters I updated earlier rather than wait for scheduled time. Downloaded 'A New Day' once again as the test, AVG gives it the all clear.

All that's needed now is create a new Restore point as AVG had moved files from there into the vault on its scheduled scan. Scheduled scan times now removed, another lesson learned, best do some things manually.

Thanks again, Nathan.


I was very very happy to read that AVG have sorted out the problem today, so I updated my free AVG just an hour ago, re-booted my computer and scanned one of my "suspect" exe files. AVG free immediately came up with a Trojan alert just as it had done over the weekend.

So, I downloaded the version of the AV that we have on Beechbrook (DPAGB on page 4 of the Beechbrook downloads). As soon as I started the AV up, AVG sprang into action and gave me the alert that it had found psw.banker.hmq again.

I am sorry I cannot tell you which version of P2E this was made from, though this version of the AV was dated Sept 2004.

I would be interested for someone else to download DPAGB from Beechbrook and check it against their AVG installation in case there's something I am missing!!

Thanks

Chris


Mike

according to my files i originally downloaded your file sept 14 2004, i would suspect from the time frame you made it from ver 4.3 - it was on page 1 sept 28 04

sept 2004 was the approx date of my files that were put in the vault -- they were restored this morning after avg issued an update -- and have just completed testing all the exe's and removed same from the vault

the original file has since been removed from hd to dvd storage.

so i just downloaded it and scanned it with avg and the test came out clean -- no virus

i am running

Grisoft AVG Ver.: 7.0.344/Virus Database:267. 11.14/128 Release Oct 10 /2005

just updated 2nd time today at +- 17:00 hrs

ken

fyi

k

avg have just issued another update today at 17:10 edst

tested same on 4.3 test file ok

sorry have not tested same on any other versions:))

AVI: 267.11.14

min. AVI: 267.0.0 Added detection of new variant of I-Worm/Bagle, I-Worm/Mytob, I-Worm/Zafi. October 10, 2005 490.4 kB

AVI: 267.11.14

min. AVI: 267.11.0 Added detection of new variant of I-Worm/Bagle, I-Worm/Mytob, I-Worm/Zafi. October 10, 2005 71.4 kB

AVI: 267.11.14 Added detection of new variant of I-Worm/Bagle, I-Worm/Mytob, I-Worm/Zafi. October 10, 2005 5.2 MB

IAVI: /128 Added detection of new variant of I-Worm/Bagle, I-Worm/Mytob, I-Worm/Zafi. October 10, 2005 719.4 kB


THIS MORNING'S MAIL BROUGHT THIS

KEN

Dear Sir/Madam,

Thank you for your email.

With the latest virus base update, the files are not being detected as infected anymore, so please update your virus base and the problem should be solved.

Best regards,

Tomas Slama

AVG Technical Support

website: http://www.grisoft.com

mailto: technicalsupport@grisoft.com


Just a note to the forum that I too had this problem and it identified 32 files with the psw.Banker problem. The oldest file was a PTE show I generated in May of 1993. Not sure what version it was. I have updated AVG and restored the files. They all seem to be working now.

Thanks for all the input in this forum. It has been a great help.

Howard


The problem with false detection of slide-shows created in PicturesToExe v4.30 was solved yesterday. Please update your AVG antivirus. Here is the response from AVG developers:

-----------------------------------------------------------------------------

Thank you for your email.

This False-positive is probably corrected in the latest AVG Update.

Please download all available AVG updates and try to check if the

problem persists.

-----------------------------------------------------------------------------


Mike

according to my files i originally downloaded your file sept 14 2004, i would suspect from the time frame you made it from ver 4.3 - it was on page 1 sept 28 04

sept 2004 was the approx date of my files that were put in the vault -- they were restored this morning after avg issued an update -- and have just completed testing all the exe's and removed same from the vault

the original file has since been removed from hd to dvd storage.

so i just downloaded it and scanned it with avg and the test came out clean -- no virus

i am running

Grisoft AVG Ver.: 7.0.344/Virus Database:267. 11.14/128 Release Oct 10 /2005

just updated 2nd time today at +- 17:00 hrs

ken

fyi

k

Many thanks for your trouble Ken, though I'm Christine, not Mike - we are co-authors!! Nice to meet you.

My copy is also now scanning clean, so end of story, but what a lot of wasted hours this weekend!!


Just a note to the forum that I too had this problem and it identified 32 files with the psw.Banker problem. The oldest file was a PTE show I generated in May of 1993. Not sure what version it was. I have updated AVG and restored the files. They all seem to be working now.

Thanks for all the input in this forum. It has been a great help.

Howard

Howard please look at your date again

from the history file of p2e

PicturesToExe v1.00 (July 2nd, 1999)

------------------------------------

* Released PicturesToExe v1.00

ken


Howard please look at your date again

from the history file of p2e

PicturesToExe v1.00 (July 2nd, 1999)

------------------------------------

* Released PicturesToExe v1.00

ken

Ken, you are right, I had the wrong date. The original PTE show was done in May of 1993, but I went back in at a later date and added music. Since the file was quarantined and then restored later, the restore date was the date showing on the file properties. So, I can not be real sure what the true original date was.

Thanks for your response. Glad the problem has been corrected.

Howard


  • 3 weeks later...

grisoft avg has issued new dat files

Added detection of new variant of I-Worm/Bagle, new variant of trojan PSW.Banker

see

http://www.grisoft.com/html/us_updt.php

i checked Igor's test file ver 4.3 and it tested clean

and 4.42 also tested clean

so keep your heads up because the last time there was very little info re psw.banker

ken
